Re: [Pkg-puppet-devel] Wheezy update of puppet?
On 18:30 Wed 24 May, Paul Wise wrote:
> On Wed, May 24, 2017 at 6:24 PM, Paul Wise wrote:
> > In Python/Perl YAML libraries there are ways to safely load YAML
> > files, does Ruby not have the same possibilities?
> After a bit of searching, I wonder if copying the ruby-safe-yaml
> package from wheezy-backports to wheezy and then patching puppet to
> use that might be a good solution.
Just a couple of notes here:
- Wheezy's Puppet is running under Ruby 1.8, which uses the old Syck
YAML library. Ruby 1.9.3 and onwards uses Psych, which indeed
provides a safe_load method. In short, YAML engine is something to be
- YAML safe loading depends on deserializing only known-safe types. We
need to make sure that this will not break the application. In theory
it shouldn't, as the facts in 2.x are plain strings.
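
The following is an added example, not part of the original mail or of Puppet's code. It shows the trade-off from the second note on a Ruby whose Psych provides safe_load (so not wheezy's Ruby 1.8 with Syck): plain-string facts load unchanged, while a document carrying a Ruby object tag is refused. The fact names, sample documents and helper names are constructed for illustration.

```ruby
require 'yaml'

# Constructed sample: facts as plain strings, as the mail describes for 2.x.
PLAIN_FACTS = <<~YAML
  hostname: "web01"
  operatingsystem: "Debian"
  processorcount: "2"
YAML

# Constructed sample: the same kind of document, but one value carries a
# Ruby object tag, which is not a known-safe type.
TAGGED_FACTS = <<~YAML
  hostname: "web01"
  extra: !ruby/object:Object
    table: {}
YAML

# Hypothetical helper: returns [:ok, data] when every node is a known-safe
# type, or [:rejected, error_class_name] when safe_load refuses the document.
def load_facts(yaml)
  [:ok, Psych.safe_load(yaml)]
rescue Psych::DisallowedClass => e
  [:rejected, e.class.name]
end

# Hypothetical helper: names of facts whose values did not come back as
# plain strings. An empty result means the safe loader yields what the
# application expects; anything else needs a look before switching loaders.
def non_string_facts(facts)
  facts.reject { |_, value| value.is_a?(String) }.keys
end

if __FILE__ == $PROGRAM_NAME
  p load_facts(PLAIN_FACTS)
  p load_facts(TAGGED_FACTS)
  p non_string_facts(Psych.safe_load("processorcount: 2\n"))
end
```

An unquoted value such as `processorcount: 2` passes safe loading but comes back as an Integer, which is why the second helper checks types separately from the tag rejection.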